TRANSCRIPT:
"I think like many Australians, I don't think our privacy laws are good enough and that companies are working in the way that we would expect when it comes to looking after our personal information."
That's Maurice Blackburn's principal lawyer Lizzie O’Shea, talking about Australia's existing data privacy laws.
The law firm has lodged a complaint to the Office of the Australian Information Commissioner [[OAIC]], on behalf of the millions of customers whose data was stolen in a cyber attack.
"We lodged that representative complaint because the Privacy Commissioner has authority to investigate breaches of the Privacy Act, and we think this has breached the Privacy Act. We think Qantas hasn't done what it needed to do to protect personal information from unauthorised disclosure and use. Of course, this investigation into the data breach is still ongoing, so we're still learning about how it took place."
Legal experts suggest the incident could lead to a class action against the carrier after compensation claims were made against Optus and Medibank following major data breaches in 2022.
Ms O'Shea says the situation shows the need for urgent reform.
She has told SBS News affected individuals should be able to bring a claim directly in court for a breach of the Privacy Act, rather than having to go through the Privacy Commissioner.
She says that will provide customers with quick and easy access should something like this occur.
"We at Maurice Blackburn were approached by many people in the wake of this data breach who were upset and frustrated that this kind of event had occurred. Most Australians want stronger protections of their personal information and improved privacy rights. That's been shown over many surveys, including that conducted by the Office of the Australian Information Commissioner over many years. So many people feel very annoyed that the laws don't reflect what they expect in terms of protecting their personal information, and that they are the ones that have to suffer the consequences when companies lose control."
In a statement to SBS, the airline said it understands that a complaint has been lodged by Maurice Blackburn on behalf of some affected customers in relation to its recent cyber incident.
The airline says its focus is to continue supporting customers and working closely with the Australian Federal Police [[AFP]], the National Cyber Security Coordinator and the A-triple-C [[Australian Cyber Security Centre]] to thoroughly investigate what happened.
Meanwhile, Qantas has also been filing paperwork of its own, winning an interim injunction in the Supreme Court to prevent the stolen data from being accessed or published by anyone.
Professor Daswin De Silva from La Trobe University spoke to the SBS On the Money podcast about the cyber attack.
He says Qantas has fairly advanced data governance frameworks, cybersecurity adherence frameworks, oversight committees, and more.
"I believe Qantas could explore how these are also implemented across their third party providers. Sometimes third party outsourcing of parts of the business operations comes at a cost saving. But this could also mean that some of those third party providers are not adhering to the same cybersecurity safeguards and best practices as the parent company."
He says Scattered Spider is a group of hackers, or threat actors, who, based on the information available, are based in the US and the UK.
Mr De Silva says it seems to be a fairly novel cyberattack group because it is using simple techniques compared to some of the other attacks in the past.
He says it could be an organisation distributed across countries, or it could simply be a type of technique adopted by different groups.
"The main technique is social engineering or impersonation attacks: phishing attacks, SIM swapping and multi-factor authentication fatigue attacks. They're trying to manipulate the help desk function of a large organisation, where the help desk has a different KPI because they want to serve, they want to make sure that the password is reset as quickly as possible and as safely as possible."
He says that because large organisations' KPI [[Key Performance Indicator]] is faster service from start to end, this can be manipulated by hackers ((in terms of how much information the hackers have and how frequently they try to intrude into how the help desk functions)).
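The multi-factor authentication fatigue attacks Mr De Silva mentions leave a recognisable trace: a user receives a burst of push prompts in a short period, denies or ignores most of them, and sometimes approves one to make the prompts stop. The following is an added example from a defender's side, not code from SBS, Qantas or Professor De Silva. It runs a simple sliding-window detection over a constructed authentication log (the users, timestamps and event names are invented; real identity providers use their own log formats) and flags any user who received at least a threshold number of prompts inside one window, noting whether an approval followed the burst.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push-notification log (invented data, not a real
# vendor format). Each line: ISO-8601 timestamp, username, event.
SAMPLE_LOG = """\
2025-07-01T09:00:01Z alice PUSH_SENT
2025-07-01T09:00:09Z alice PUSH_DENIED
2025-07-01T09:00:20Z alice PUSH_SENT
2025-07-01T09:00:31Z alice PUSH_DENIED
2025-07-01T09:00:45Z alice PUSH_SENT
2025-07-01T09:00:58Z alice PUSH_DENIED
2025-07-01T09:01:10Z alice PUSH_SENT
2025-07-01T09:01:22Z alice PUSH_DENIED
2025-07-01T09:01:40Z alice PUSH_SENT
2025-07-01T09:01:55Z alice PUSH_DENIED
2025-07-01T09:02:30Z alice PUSH_SENT
2025-07-01T09:02:41Z alice PUSH_APPROVED
2025-07-01T08:15:00Z bob PUSH_SENT
2025-07-01T08:15:07Z bob PUSH_APPROVED
2025-07-01T17:40:00Z bob PUSH_SENT
2025-07-01T17:40:05Z bob PUSH_APPROVED
"""


def parse_log(text):
    """Parse log lines into (timestamp, user, event) tuples, sorted by time.

    Sorting matters: logs collected from several sources are often not in
    chronological order (bob's 08:15 entries appear after alice's 09:00 ones).
    """
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event))
    events.sort()
    return events


def detect_push_fatigue(text, window=timedelta(minutes=5), threshold=5):
    """Flag users who received >= `threshold` push prompts within any `window`.

    Returns {user: {"burst": prompts_in_densest_window,
                    "approved_after_burst": True if an approval landed during
                    or just after that burst}}.
    An approval at the end of a burst is the pattern a responder most wants
    to see quickly: the user may have accepted a prompt they did not initiate.
    """
    sent = defaultdict(list)
    approvals = defaultdict(list)
    for ts, user, event in parse_log(text):
        if event == "PUSH_SENT":
            sent[user].append(ts)
        elif event == "PUSH_APPROVED":
            approvals[user].append(ts)

    flagged = {}
    for user, times in sent.items():
        best, best_start, best_end = 0, None, None
        j = 0
        # Two-pointer sliding window over the sorted prompt timestamps.
        for i, start in enumerate(times):
            while j < len(times) and times[j] - start <= window:
                j += 1
            count = j - i
            if count > best:
                best, best_start, best_end = count, start, times[j - 1]
        if best >= threshold:
            approved = any(best_start <= a <= best_end + window
                           for a in approvals[user])
            flagged[user] = {"burst": best, "approved_after_burst": approved}
    return flagged


if __name__ == "__main__":
    for user, info in detect_push_fatigue(SAMPLE_LOG).items():
        print(f"{user}: {info['burst']} prompts in one window, "
              f"approved after burst: {info['approved_after_burst']}")
```

The window and threshold are deliberately parameters: a help desk or identity team should tune them against its own baseline of legitimate re-prompts before alerting on them, and the same counting logic applies equally to SMS one-time-code deliveries or password-reset requests, where a burst against one account is the signal regardless of channel.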
Mr De Silva told the SBS On the Money podcast that in 2024 there were arrests made in relation to the use of this technique following breaches in the US.
But he says the hackers seem to have improvised from incidents that took place in the US into the UK, and now in Australia.